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@ Improvements hi point of sale and electronic funds transfer systems. 

@ An electronic funds transfer system (EFT) is described 
in which retail terminals located in stores are connected 
through a public switched telecommunication system to 
card issuing agencies data processing centres. Users of the 
system are issued with intelligent secure bank cards, which 
Include a microprocessor, ROS and RAM stores. The ROS 
includes a personal key (KP) and an account number (PAN) 
stored on the card when the issuer issues it to the user. 
Users also have a personal identity number (PIN) which is 
stored or rememt>ered separately. 

A transaction is initiated at a retail terminal when a 
card is inserted in an EFT module connected to the terminal. 
A request message including the PAN and a session key 
(KS) is transmitted to the issuers data processing cenfre. 
The issuer generates an authentication parameter (TAP) 
based upon its stored version of KP and PiN and a time 
variant parameter received from the terminal. The TAP is 
then returned to the terminal In a response message, and 
based upon an imputed PIN. partial processing of the input 
PIN and KP on the card a derived TAP is compared with the 
received TAP in the terminal. A correct comparison indicat- 
ing that the entered PIN is valid. 

The request message includes the PAN encoded under 
the KS and KS encoded under a cross-domain key. Message 
authentication codes (MAG) are attached to message and 



the correct reception and regeneration of a MAC on a mes- 
sage including a term encoded under KS indicates that the 
received KS is valid and that the message originated at a 
valid terminal or card. 
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IMPROVEMENTS IN POINT OF SALE 
AND ELECTRONIC FUNDS TRANSFER SYSTEMS 

Field of the Invention 

This invention relates generally to point of sale and electronic 
funds transfer systems and in particular to the personal verification of 
users of such systems. 

Electronic funds transfer (EFT) is the name given to a system of 
directly debiting and crediting customer and service suppliers' accounts 
at the instant of confirmation of a transaction. The accounts are held 
at a bank, or credit card company's central processing system, which is 
connected to a dedicated network of retailers or service suppliers' data 
processing equipment. In this way no cash or check processing is 
required for the transaction. 

Point of sale (POS) is the name given to retailers' data processing 
systems in which check-out or sale point tills are connected directly to 
a data processing system. Details of current transactions can then be 
used for stock control, updating customer accounts held locally cuxd 
monitoring the retailers flow of business. A POS terminal can include 
the function required for an EFT terminal and be connected to an EFT 
network as well as the local retailers data processing system. 

In a simple application each bank or credit card coii5>any has its 
own network and each customer of the bank has a credit card which can 
only be used on that network, such a network is described in European 
Patent Publication 32193. 

Background of the Invention 



European Patent Publication 32193 (IBM Corporation) describes a 
system in which each user and retailer has a cryptographic key number - 
retailer's key Kr and user's key Kp - which is stored together with the 
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user's account number and retailer's business number in a data store at 
the host central processing unit (cpu) . The retEtiler's key and the user 
key are used in the encryption of data sent between the retailer's 
transaction terminal cmd the host cpu. Obviously only users or cus- 
tomers with their identity numbers and encryption keys stored at the 
host cpu can make use of the system. As the number of users expands 
there is an optimum number beyond which the time taken to look up 
corresponding keys and identity numbers is unacceptable for on-line 
transaction processing. 

The system described is only a single domain and does not involve 
using a personal identification number (PIN). Verification of the 
user's identity is at the host cind without a PIN there is no bar to 
users using stolen c£u:ds for transactions. 

European Patent Publication 18129 (Motorola Inc.) describes a 
method of providing security of data on a communication path. Privacy 
and security of a dial-up data communications network are provided by 
means of either a user or terminal identification code together with a 
primary cipher key. A list of valid identification codes and primary 
cipher code pairs is maintained at the central processing unit. Identi- 
fication code and cipher key pairs, sent to the cpu are compared with 
the stored code pairs. A correct comparison is required before the cpu 
will accept encoded data sent from the terminal. All data sent over the 
network is ciphered to prevent unauthorised access using the the rele- 
vant user or terminal key. 

The system described is a single domain in which all terminal keys 
(or user keys) must be known at a central host location. Hence, th6 
ideas described in the patent do not address a multi-host environment 
and thus are not addressing the interchange problem either. 

UK Patent Application 2,052,513A (Atalla Technovations) describes a 
method and apparatus which avoids the need for transmitting user- 
identification information such as a personal identification number 
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(PIN) in the clear from station to station in a network such as desr 
cribed in the two European Patent Publications mentioned above. The PIN 
is encoded using a randomly generated number at a user station and the 
encoded PIN and the random number are sent to the processing station. 
At the processing station a second PIN having generic application is 
encoded using the received random number and the received encoded PIN 
and the generic encoded PIN are compared to determine whether the 
received PIN is valid. 

This system does not use a personal key and as a consequence for a 
sufficiently cryptographically secure system, it is necessary to have a 
PIN with at least fourteen random characters (four bits each) . This is 
a disadvantage from the human factor point of view as users will have 
difficulty remembering such a long string of characters and the chances 
of inputting unintentionally an incorrect string is very large. If a 
phrase, which a user cein easily remexhber, is employed for a PIN, about 
28 characters are required. Although remeiribering the infomnation is not 
a problem, inputting such a long string of data still presents a htamcin 
factors problem. 

The EFT system made possible by the systems described in the above 
patent applications is limited to a single host cpu holding the accotmts 
of all users, both retailers and customers. 

An EFT system in which many card issuing organisations (banks, 
credit card compcinies, etc.) are connected and many hundreds of retail 
organisations are connected through switching nodes such as telephone 
exchanges, brings many more seciirity problems. 

PCT publication Wo 81/02655 (Marvin Sendrow) describes a multi- 
host, multi-user system in which the PIN is ciphered more than once at 
the entry terminal. The data required to validate and authorise the 
transactions is transmitted to a host computer which accesses from its 
stored data base the data that is required to decipher and validate the 
transaction, including the ciphered PIN. A secret terminal master key 
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must be maintained at each terminal. A list of these master keys is 
also maintained at the host conqputer. 

The maintaining of lists of terminal master keys at each of the 
ccurd issuing organisation's host computers is obviously a difficult 
task, in a con^lex system where the terminal keys aire not controlled 
and, therefore, not knovm by the card issuing host, 

European Patent Publication 55580 (Honeywell Information Systems) 
seeks to avoid the necessity of transmitting PIN information in the 
network by performing PIN verification at the entry point terminal. 
This is achieved by issuing each user with a card that has encoded in 
the magnetic stripe the bank identification (BIN), the user's account 
number (ACCN) eind a PIN offset number. The PIN offset is calculated 
from the PIN, BIN and ACCN. The user enters the PIN at a keyboard 
attached to the terminal, which also reads the PIN offset, BIN and ACCN 
from the card. The terminal then re-calculates a PIN offset from the 
user's entered PIN, the BIN euid ACCN. If the re-calculated PIN offset 
is the same as the PIN offset read from the card then verification of 
the PIN is assumed. This approach has the disadvantage in that the 
system is not involved in the validation and that knowing that the PIN 
offset is calculated from the PIN, the BIN and ACCN, cinyone having 
knowledge of the process can manufacture fraudulent cards with valid 
PINS. 

Advances in microcircuit chip technology has now led to the 
possibility that user cards instead of having user data stored on a 
magnetic stripe can contain a microprocessor with a read only store 
(ROS) . The microprocessor is activated when the card is placed in an 
EFT terminal and the appropriate power and data transmission interface 
connections are made. The microprocessor on the card is controlled by 
control programs stored in the ROS. The users and issuers identifi- 
cation can also be stored in the ROS together with other information. 



Examples of such cards including a microprocessor cire shown in 
Kingdom patent applications 2,081,644A and 2,095,175A. 
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European patent application No. 82306989.3 (IBM) describes a method 
and apparatus for testing the validity of personal identification 
numbers (PIN) entered at a transaction terminal of an electronic funds 
transfer network in which the PIN is not directly transmitted through 
the network. The PIN and the personal account number (PAN) eire used to 
derive an authorisation parameter (DAP) . A unique message is sent with 
the PAN to the host processor where the PAN is used to identify a valid 
authorisation parameter (VAP) . The VAP is used to encode the message 
and the result (a message authentication code MAC) transmitted back to 
the transaction terminal. The terminal generates a parallel derived 
message authentication code (DMAC) by using the DAP to encode the 
message. The DMAC and MAC are compared and the result of the con^arison 
used to determine the validity of the PIN. 

In such a system the generation of DAP as well as VAP is based on a 
short PIN only and is therefore cryptographically weak. Furthermore, 
the EFT transaction terminal has access to all the information carried 
on the identity card which may be regarded as a security weakness in the 
system. The present invention seeks to overcome such deficiencies by 
storing personal key data in a portable personal processor carried on a 
card and only processing the key data on the card. 

In any multi-domain communication network where such domain in- 
cludes a data processor aind in which cryptographically secure transmis- 
sion takes place it is necessary to establish cross domain keys. A 
coimmini cation security system in which cross domain keys are generated 
and used is described in United States Patent No. 4,227,253 (IBM). The 
patent describes a coiranunication security system for data transmissions 
between different domains of a multiple domain communication network 
where each domain includes a host system and its associated resources of 
programs and communication terminals. The host systems and communica- 
tion terminals include data secvirity devices each having a master key 
which permits a variety of cryptographic operations to be performed. 
When a host system in one domain wishes to communicate with a host 



01379'99 

system in another domain, a common session key is established at both 
host systems to permit cryptographic operations to be performed. This 
is accoinplished by using a mutually agreed upon cross-domain key known 
by both host systems and does not rec[uire each host system to reveal its 
master key to the other host system. The cross domain key is enciphered 
under a key encrypting key at the sending host system and under a 
different key encrypting key at the receiving host system. The sending 
host system creates an enciphered session key and together with the 
sending cross-domain key performs a transformation function to re- 
encipher the session key under the cross domain key for transmission to 
the receiving, host system. At the receiving host system, the receiving 
host system using the cross domain key and received session key, per- 
forms a transformation function to re-encipher the received session key 
from encipherment under the cross domain key to encipherment under the 
receiving host system key. With the common session key now available in 
usable form at both host systems, a communication session is established 
and cryptographic operations can proceed between the two host systems. 

Reference to the following publications are included as giving 
general background information in encryption techniques and tentiinology : 

1. IBM Technical Disclosure Bulletin, Vol. 19, No. 11, April 1977, 
p. 4241, "Terminal Master Key Security" by S. M. Matyas and 

C. H. Meyer. 

2. IBM Technical Data Bulletin, Vol. 24> No. IB, June 1981, 

pp. 561-565, "implication for Personal Key Crypto With Insecure 
Terminals" by R.E.Lennon, S.M. Matyas, C. H. Meyer and R. E. Shuck; 

3. IBM Technical Data Bulletin, Vol. 24, No. 7B, December 1981, 

pp. 3906-3909, "Pin Protection/Verification For Electronic Funds 
Transfer" by R. £. Lennon, S. M. Matyas and C. H. Meyer; 
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4. IBM Technical Disclosure Bulletin, Vol. 24, No. 12, May 1982, 
pp. 6504-6509, "Personal Verification and Message Authentication 
Using Personal Keys" by R. E. Lennon, S. M. Matyas and C. H. Meyer; 

5. IBM Technical Disclosure Bulletin, Vol. 25, No. 5, October 1982, 
pp. 2358-2360, "Authentication With Stored KP and Dynamic PAC" by 
R. E. Lennon, S. M. Matyas and C. H. Meyer? 

Summary of the Invention 

The present invention has the advantage that personal identifi- 
cation number (PIN) checking can be carried out at a terminal remote 
from a issuer data processing centre without exposing the PIN to the 
network. This is made possible by using a one-way cipher function to 
generate the authentication parameter, the components of which include a 
personal key (KP) and the PIN to be checked. 

A one-way function is defined as a function for which there is no 
way to deduce the parameters used to perform the function. 

The use of transaction variant parameters generated at the terminal 
and the issuer for each transaction adds further levels of security to 
the system. A transaction variant input ensures that an authentication 
parameter is related to a current transaction and has not been pre- 
generated in the system and later obtained for potential fraudulent use. 
The comparison of received and regenerated transaction variant authen- 
tication parameters at the terminal also ensures that the correct 
transaction Vciriant was received at the issuer and sent in the response 
to the terminal. 

According to the invention there is provided a method of testing 
the validity of personal identification numbers (PIN) entered into an 
electronic funds transfer system (EFT) at a terminal connected through a 
data communication network to a data processing centre in which each 
user of the EFT system has an intelligent secure bank card on which is 



stored a personal key (KP) and a personal account number (PAN) and the 
data processing centre holds a master list of PINs and KPs or a logical 
fxinction of PIN cuid KP indexed by PANs, the method comprising the 
following stej^s: 

1. transmitting the PAN from the card through the terminal to 
the data processing centre, 

2. generating at the data processing centre by a one way 
encipher function at a trcuisaction variant authentication 
parameter (TAP) directly dependent upon the PIN and the KP, 

3. transmitting the TAP to the terminal and storing the TAP at 
the terminal, 

4. receiving from the card user the PIN at the terminal and 
transmitting the PIN to the card, 

5. generating at the ccird a treinsaction variant authentication 
parameter (TAPc) directly dependent upon the entered PIN and 
the stored KP, 

6. transmitting the TAPc from the Ccird to the terminal and at 
the terminal comparing the TAP received from the data 
processing centre with the TAPc received from the card, a 
correct comparison indicating that the entered PIN was 
valid. 

In order that the invention may be fully understood a preferred 
emibodiment thereof will now be described with reference to the accom- 
panying drawings. 

Brief Description of the Drawings 

FIG. 1 is a block schematic showing the component parts of an EFT 
network; 

FIG. 2 is a block schematic of the retail store components of the 
EFT network; 
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FIGS. 3-9 illustrate enciphering techniques used in the preferred 
embodiment; 

FIGS. 10-12 are flow charts illustrating the steps of the method of 
the preferred embodiment; 

FIGS. 13-17 illustrate the message formats used in the preferred 
embodiments . 

Table of Abbreviations 

In the designation of the preferred embodiment, the following 
abbreviations are used: 

AP = authentication peirameter (generated from PAN, KP and PIN) 

BID = bank or card issuer's identity 

KI = interchange key 

KP = personal key 

KMO = host master key 

KMl = first variant of host master key 

KM2 = second variant of host master key 

KM3 = third variant of host master key 

KJCT = terminal master key 

KS = session key 

KSTRl = transaction session key one (randomly or pseudo-randomly 



generated) 



KSTR2 



= transaction session key two (generated from Tiss, term, card 



KSTR3 



and KTRl) 

= transaction, session key three (generated from 



MAC 



PAN 



KTRl 



KTR2 



Tiss, term, card and KTR2) 
= transaction key one (generated from PAN euid KP)- 
= transaction key two (generated from PAN, KP and PIN) 
= message authentication code 
= primary accotuit number 



PIN 



= user's personal identification number 
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Tcard = time-variant information generated by bank card 

Tiss = time-variant information generated by issuer 

Tterm - time-vciricint information generated by terminal 

Ttem,caa:d = time-varicmt information generated from Tterm and Tcard 

using a one-way function 
Tiss, term, card 

= time-variant information generated from Tiss and 

Tterm, card 

TAPl = time-variant authentication parameter (generated from 

Tterm, card and AP) 
TAP2 - time'^variant authentication parameter (generated from 

Tiss, term, card and TAPl) 
TID = terminal ID 

SEQterm = terminal sec[uence number 
SEQiss = issuer sequence number 

Preferred Embodiment of the Invention 

Referring now to Figure 1 an EFT network is shown in which card 
issuing agencies' data processing centres 10 are connected through a 
packet switched communication network 12 through network nodes 14 to 
retail store controllers 16. Each store controller 16 is connected 
directly to the store's EFT transaction terminals 18 which have an 
interface including power and input-output meems for communicating with 
a portable microprocessor 20 contained on a personal identity Ccurd 
issued by one of the card issuing agencies. 

The store controller 16 may also be directly cormected with the 
retailers own data processing centre. 

The retail store con^nents of the network are escpanded in Fig. 2. 
T5ie JEFT transaction terminal may include a point of sale checkout 
terminal 24 including an EFT module 26 and having a consumer module 28 
connected so that a user can key-in data on the module. The store 
computers can also include an enquiry station which is an EFT module 30 
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and consumer module positioned so that users can communicate directly 
with the card issuing agency asking for exan^le for the current balance 
or credit limit on their accounts before making a purchase. 

The consumer modules 28 are a twelve button key pad with, for 
example, a liquid crystal display such as are now in common use for 
other applications, hand calculators, remote TV selectors, etc. 

The EFT modules and point of sale terminals each have their own 
microprocessor and encryption-decryption modules together with read only 
and random access storage devices* The network nodes have a larger 
capacity processor such as the IBM Series 1 processing vmit, (IBM is a 
Registered Trade Mark) . 

In the preferred embodiment of the invention a card issuing agency 
prepares individual user cards for each user. The cards include a 
personal portable microprocessor, a read only store (ROS) , a random 
access memory (RAM) and an encryption device. The ROS for each user 
includes a personal encaryption key (KP) , a user identity code or per- 
sonal account number (PAN) and a card issuer's identity code (BID). The 
KP and PAN, are also stored at the issuing agency's data processing 
centre together with a personal identification number (PIN). BID is a 
code that identifies the issuing agency's data processing centre to the 
EFT network. 

Each unit in the network has an identity code which is used for 
routing messages through the network. 

The EFT modules also include a microprocessor, RAM and ROS stores 
euid an encryption device. Depending upon the further encryption tech- 
niques employed in the network, the store controllers and packet 
switched network nodes contain data processing and encryption devices. 

When the EFT network is set up in order for secxure transmission of 
transaction messages to take place it is necessary to generate identity 
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niunbers and enciphennent keys used at the various nodes of the network. 
These pregenerated quantities are: 



AP - generated at card issuing agency; defined as: E (PAN) ©PAN 

PXNwlvF 

Kl - generated at switch; issuer, acquirer 
KP - generated at issuing agency; 
KMO - generated at issuer, acquirer, switch 
KMT - generated at acquirer 

KTRl " generated at issuer; defined as: D (PAN) ©PAN 

KTR2 - generated at issuer; defined as: D (PAN+l) ® (PAN+1) 

PXNvKP 

PAN - generated at issuer 
PIN - generated at issuer 
TID - generated at acquirer 

64 

Where ® denotes modulo 2 additxon and + denotes modulo 2 addition. 



At initialisation of the system the KP, PIN and PAN quantities are 
used to generate AP, KTRl cuid KTR2, which are unique to each user card. 
The quantities AP, KTRl and KTR2 are stored at the issuer's data pro- 
cessing centre enciphered under the second variant (KM2) of the issuer's 
master key and associated together and enclosed by the PAN for the user. 
The quantities PAN, PIN and KP for each user are also stored offline for 
backup purposes (e.g., in a safe or vault) cUid are erased from main 
memory once AP, KTRl and KTR2 have been generated. 

For each card, a tmique PAN and KP are stored in the cards ROM. 

Each user must store separately or remember the unique PIN. 

A unique TID and KJCT are stored in each terminal and at the asso- 
ciated acquirer. 

A unique KMO for each processing node is stored at that node, i.e., 
issuer, acquirer and switch. 
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During the course of a transaction, some of these values and others 
based upon stored values are generated dynamically at locations in the 
network. 

The Fig. 1 configuration of the system shows a complete organisa- 
tion in which a large retail outlet has its own "in-store" data process- 
ing system. In this case, the retailer's data processing system is 
regarded as the acquirer and the PSS node as the switch. 

In a sinipler organisation where a small retailer may have only one 
terminal connected directly to the PSS node, then the function of the 
acquirer and switch are coihbined and there is no cross-domain transla- 
tion required between acquirer and switch. 

The following cryptographic operations eire available at the host 
system of the issuer, acquirer and switch. 

Encipher Data (ECPH) : 



Decipher Data (DCPH) : 



Set Master Key [SMK] : 

SMK: [KMO] Write Cipher Key KMO in Master Key Storage 

Encipher Under Master Key (EMKO) : 
EMKO: [K] -> E^^(K) 



Re-encipher From Master Key (RFMK) 

E KN, E ] 
KMl^' KMO 



lE^^KN, E„^K] -> 



Re-encipher To Master Key (RTMK) : 
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Translate Session Key (TRSK) : 

TRSK: [E^KM), E^^KS, E^KN2] -> B^^KS 

European Patent Application 821108/49 describes a system for 
performing the TRSK function. 

The following cryptographic operations are available at the 
terminal : 



Load Key Direct (LKD) : 

LKD: [K] load Cipher Key K into Working Key Storage 

Write Master Key (WMK) : 

WMK: [KOT] Write Cipher Key KMT In Master Key Storage 

Decipher Key (DECK) : 

DECK: [Ej^K] Decipher E^^K under the terminal master key KMT 
and load recovered cipher key K into the Working Key 
Storage 

Encipher (ENC) : 

Wl' ^KW<Wl> ^KW^Wn-1^ 
where KW is the current key in the trorlcing key storage. 

Decipher (DEC) : 

DEC: (Yj^,y2,...,Y^] 

Where KW is the current key in the working key storage. 
Encipher Data (ECPH) : 



n 
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Decipher Data (DCPH) : 

-> Dk(V'°k<V*^i 

At this point is is useful to realise that quantities held at the 
issuer are stored enciphered under the processor master key KMO or a 
master key variant KM2. The general decipher-encipher sequence is 
illustrated in Fig. 3. A sensitive quantity (Q) is held in store 
encipher under KM2 (Ej^Q) - The enciphered value is deciphered using 
KM2 as the key and Q is used as the key to decipher a further variable 
KEY stored enciphered under key Q (E^KEY) , The deciphered KEY is then 
enciphered using the master key KMO as the key and the result is 
^KMO^^^^" This first operation is called a RTMK function. 

To use KEY to encipher a further quantity Q2 then E KEY is 

KMO 

deciphered using KMO as the key and the deciphered KEY is used as the 
key in enciphering Q2 giving Ej^Q2. This second operation is called an 
ECPH function. 



These operations all take place in the cryptographically secure 
hardv^are circuits (defined cryptographic facility or security module) 
and consequently while Q and KEY appear in the clear, they are not 
available outside the secure hardware. 

Fig. 4 illustrates the RFMK sequence. A key KI stored enciphered 
with KMl as Ej^(KI) is deciphered using KMl as the key recovering KI in 
the clear. A second key KEY stored under encipherment of KMO as ^j^^^qKEY 
is deciphered using KMO as the key. The result of this decipherment 
(KEY) is then enciphered using KI as the key giving E^^KEY. 

As part of the system initialisation process, the acquirer (or 
other node) generates a series of terminal master keys (rofTi) for all 
the terminals associated with the acquirer system. These keys cire 
protected by being enciphered under the first variant (KMlacq) of the 
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acquirer master key (KM0acq) by an Encipher Master Key function (EMKl) 
to produce the result set forth by the following notation: 

EMKl: (KMTi] -> E^, KMTi. 

KMlacq 

The enciphered terminal keys are stored at the acquirer in a 
cryptographic data set until required for use in a cryptographic opera- 
tion. Each terminal stores its own KMTi generated by the acquirer in a 
secure store. 



When a session is to be established between the acquirer and a 
requesting terminal, it is necessary to establish a common session key 
(KS) between the acquirer and the terminal for secure data communica- 
tion. Thus, the acquirer causes a pseudo random or random nxuhber to be 
generated which is defined as being the session key enciphered under a 
secondary file key KNFacq key, i.e., ^j^^^^q^ retained at the 

acquirer for cryptographic operations during the communication session. 
In order to securely distribute the session key to the requesting 
terminal, the acquirer performs a transformation function which re- 
enciphers the session key from encipherment under the acquirer eecondairy 
file key to encipherment under the terminal master key, i.e., from 
^KNFacq^ ^KMTi^* This transformation function may be defined by 
the notation: 



TRSK: [E,^. KNPacq, E^_ KS, E,^, KMTi] -> E,^.KS 
KMH3acq ^ KNPacq KMHlacq JCMTi 

Since KS is now enciphered under KMTi, it may be transmitted over 
the communication line to bind the requesting terminal to the acc[uirer 
for a communication session. 



When the EFT network is set up and the, initialisation is complete, 
i.e. , the pregenerated values are stored at the respective locations, 
EFT transactions may occur. Each terminal has a sequence number counter 
which provides SEQterm for each transaction message initiated at that 
terminal. Each host also has a sequence nuinber counter which provides 
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SEQiss for each trsunsaction message (Mresp) generated at the host data 
processing centre. These SEQ numbers are provided for audit purposes 
and do not relate directly to the invention. 

The preferred method of testing the validity of messages in the 
network is as follows: 

A transaction is initiated at a POS terminal when a customer's user 
card is inserted in the EFT module. Insertion of the card couples the 
power and data bus connections to the personal portable microprocessor 
(ppm) . 

At the ppm (20 FIG. 1) ; 

Step CI Generate Tcard and transfer this variable to the EFT 

terminal together with card issuer identification (BID) , 
personal account number (PAN) . Other information such as 
credit limit may be passed at this time. 

Tcard is a time variant quantity and the method employs a system of 
time variant quantities in contrast to a universal time reference such 
as a time-of-day clock. This approach avoids synchronisation problems 
among the several generators of the desired time-variant information. 
Each node (ppm (20) , EFT terminal (18) and card issuer host (10) ) 
generates its own time variant quantity, Tcard, Tterm and Tiss, res- 
pectively. (If desired, time-of-day clock values may be included for 
auditing purposes.) 

At the different nodes time variant quantities are obtained by 
combining various ones of the three individual quantities using an 
encipher function. 

At the EFT terminal (18 FIG. 1) : 

Step Tl Generate Tterm and the combined Tterm, card based upon Tcard 
and Tterm. The generation of Tterm, card is illustrated in 
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PIG. 5. The variable Tcaxd is ciphered using the variable 
Tterm as an encryption key. To accomplish this Tterm is 
loaded as the working key using a Load Key Direct (LKD) 
operation and then Tcard is enciphered under Tterm using an 
Encipher (ENC) operation, as follows: 

LKD: [Tterm] load Tterm as the working key. 
ENC: [Tcard] -> E^grm^^"^ 

The result, i.e., ^-pterm^^^^^^^ referred to as Tterm, card 
and stored in the terminals RAM. 

Receive and store other transaction data (Card issuing 
agency BiD, PAN, etc.) 

Formulate a message request (Mreq) having a format shown in 
Fig. 13 which at this time includes the combined time 
variant data Tterm, card generated at the terminal, the 
stored card information, TID and other transaction data. 

The Mreq is formed in a buffer store portion of the terminals RAM 
and includes message address information BID. 

step T4 Transfer Mreq and Tterm to the personal portable micro- 
processor. 

At the ppm : 

Step C2 Osing the received Tterm generate Tterm, card of reference 
using the technique shown in FIG. 5. 



Step T2 



Step T3 



Step C3 



Generate and store a transaction session key (KSTRl) using 
KP and Tterm, card, KSTRl is used as the end to end key 
between the card and the issuer and is generated from PAN 
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and KP read from the card and the card generated (Step T2) 
Ttenn,card» 

The generation of KSTRl is illustrated in FIG. 6. Using the user's 
personal key (KP) as the key the PAN is deciphered and then exclusively 
OR'd with the result to produce a time invariant transaction key KTRl, 
Tterm,card is then deciphered using KTRl as the key to produce the first 
transaction session key KSTRl, 

Step C4 Store in the ppm RAM both KSTRl and Tterm,card. 

Step C5 Compute a message authentication code (MACl card,iss,) on 
the TR portion of Mreq which will include Tterm,card and 
using KSTRl. 

The generation of a message authentication code (MAC) , which uses 
the Encipher Data (ECPH) operation, is illustrated in FIG. 7. The 
method used is the standard cipher block chaining (CBC) mode of DES, 
The inputs defined as XI, X2 ... Xn are 64 bit blocks of the request 
message. The initialising vector ICV is set equal to zero in this 
process. 

The result of the first XOR is then enciphered under the key K. In 
Step C5 the key K=KSTR1 is used. The second block X2 is then XOR'd with 
the result of the first encipherment and the output of this XOR is 
enciphered using key K. This process is continued until Xn is reached 
and the output or part thereof is defined as the MAC. 

Step C6 Transfer the TR portion of Mreq and MACl card, iss to the 
EFT terminal. 

At the EFT termincil; 



Step T5 When the Mreq is received at the terminal, the PAN field of 
Mreq is enciphered under the session key to meet any system 
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privacy requirements* The enciphered PAN then replaces the 
clear PAN in the Mreq which may then be transmitted over the 
comm\ani cation line to the acquirer for transmission to the 
issuer data processing centre via the packet switching 
system PSS (14 Fig. 1) . The encipherment of PAN under the 
session key KS at the terminal may be performed by an 
Encipher Data (ECPH) operation defined by the following 
notation: 

ECPH : [E^MTi^ ' ^KS^^ 

In executing this operation, a decipher key (DECK) operation is 
first performed to decipher ^^j^^^S under control of KMPi to obtain KS 
in clear form as the working key after which an Encipher (ENC) operation 
is performed to encipher PAN vinder control of KS to derive the en- 
ciphered PAN, i.e., E„(PAN). 

Ko 

The Tterm,card field of Mreq is also enciphered in the same manner 
using the Encipher Data (ECPH) operation, as follows: 

ECPH: [E-_,_ . KS , Tterm, card] -> E (Tterm ,card) 

KHxX KS 

and the enciphered Tterm, card replaces the clear Tterm, card in the Mreq. 

Step T6 Transmit the received Mreq, HACXcard,iss, to the issuing 
agency data processing centre via the acquirer system and 
through a packet switched system node (14 FIG. 1) . 

At the Node (or Acquirer System) : 

Identify TID from received Mreq. 

Step Nl Using a Translate Session Key (TRSK) operation, together 

with enciphered key parameters E KNFacq and 

KM3acq 

E„^ KIacq,sw obtained from the acquirer's cryptographic 
KHlacq 
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key data set (CKDS) and the stored enciphered session key 

E _ KS for the terminal designated by TID, re-encipher KS 
KNFacq 

from encipherment under the secondary file key KNFacq to 

encipherment vinder interchange key KIacq,sw (shared with the 

switch) to produce E^^ (KS) , as follows: 

Klacq/SW 

TRSK: [E ^ KNFacq, E^^ KS, EL,,,, KIacq,sw] -> E„ KS 
^ KM3acq ^ KNFacq KMlacq ^ KIacq,sw 

Europeaun Patent Application 821108/49 describes a system for 
performing the TRSK function. 

Place E KS in the transaction message request as shown in 

Klacq , sw 

Fig. 13. 

Step N2 Transmit Mreq to the PSS switch. 
At the Switch : 

. ^ ^ . , ™^ KS from Mreq. Using 

Step SI Extract enciphered session key EKIacq,sw 

a Translate Session Key (TRSK) operation together with 

enciphered key parameters ^j^gw^^^'^^ ^KMlsw^^'"*"^^ 
obtciined from the switch's cryptographic key data set (CKDS) 

and the received enciphered session key E KS, re- 

Kxacq, sw 

encipher KS from encipherment under Klacq, sw to encipherment 
under KIsw,iss, as follows: 

This re-enciphered session key, i.e., E . (KS) , replaces the 

KJLSW , ISS 

previously enciphered session key in Mreq which is then transmitted to 
the card issuing agency data processing centre. 



Step S2 



Trcinsmit Mreq from the switch to the issuer. 



UK9-83-013 



22 



At the Issuer DP Centre: 



Step II Receive and store Mreq and index using TID. Extract 

enciphered session key E KS from Mreq. Using a 

JvXSW f xss 

Re-encipher to Master Key (RTMK) operation together with 
enciphered key parameter E . (KIsw,iss) obtained from the 

KMzXSS 

issuer's cryptographic key data set (CKDS) and the received 

enciphered session key E KS, re-encipher KS from 

KXSW f iss 

encipherment under Klsw^iss to encipherment under the 
issuer's host master key (KMOiss) , as follows: 

store ^j^oiss^ index using TID» Extract E^^Tterm^card 
from Mreq, and decipher the enciphered Tte3na,card by a 
Decipher Data (DCPH) operation using the recovered en- 
ciphered session key E^^. KS to obtain Tterm,card in the 

KMOXSS 

clear as follows: 



^^KMOiss^' Ej^Tterm,card] -> Tterm,card 

Replace the enciphered Tterm,card with the clear Tterm,card 
in Mreq. 

Extract E^^gPAN from Mreq and store in temporary buffer. 
Using a Decipher Data (DCPH) operation together with the 
recovered enciphered session key ^j^Q^gg^' decipher using 
KS to obtain PAN, as follows: 

step 12 The validity of PAN is checked by a table look-up process 

using the received deciphered PAN as an index to the table. 
If the PAN is valid then replace E (PAN) with PAN in Mreq 

Ko 

and continue at Step 13; otherwise continue at Step 117. 



UK9-83-013 23 ^ \ o ( ^ y :y 



step 13 Generate and store a pseudo-random or random time-variant 
quantity Tiss. 

Step 14 Using an Encipher Master Key (EMKO) operation, encipher Tiss 
generated at Step 13 under the issuer's host master key 
(KMOiss), as follows: 

EMKO: [Tiss] -> E^„„. Tiss 

KMOxss 

Generate and store the time-variant Tiss, term, card by using 
an Encipher Data (ECPH) operation together with the en- 
ciphered value of Tiss (i,e., Ej^QiggTiss) used as a key to 
encipher Tterm,card received in Mreq to produce 
E^jl^^^{Tterm,card) , as follows: 

ECPH: [Ej^^^^^Tiss,Tterm,card) -> E^^^^Tterm,card 

where the desired Tiss, term, card is defined as quantity 
^iss^'^®™''^^^^^- 

Step 15 Generate KSTR2 using the RTMK operation of Fig. 3 together 
with the enciphered key parameter EKM2iss^™^^'^® obtained 
from the issuer's CKDS and Tiss, term, card obtained at Step 

14 to produce E_^_ . KSTR2, as follows: 
KMOiss 

fWss'««^"^>' Tiss,tenn,card) -> E^oiss ^ Wss^^^^^' 
term, card) 



where KSTR2 is defined as D^^^^^Tiss, term, card. 



Step 16 



Generate KSTRl using the RTMK operation of Fig. 3 together 

with the enciphered key parameter E KTRl for the 

KM2XSS 

particular cardholder with personal account number (PAN) 
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obtained from the issuer's CKDS and Tterm,card received in 
Mreq to produce E_,^, KSTRl, as follows: 

KHOXSS 

[E^^, KTRl, TteanttrCard] -> K--„_. (D„^,Ttena,Ccird) 
KM21SS KMOlSS KTRl 

where KSTRl is defined as D,^^^Tterm,card 

KTRl 

Step 17 Compute MAClcard,iss of reference on the TR portion of the 
received Mreq by an Encipher Data (ECPH) operation (des- 
cribed by Fig. 7) using enciphered key parameter 

^xTMA* • KSTKL (obtained at Step 16) as follows: 
KnOxss 

ECPH: [E_^. KSTRl, TR] -> MAClcard,iss 
KHOiSS 

where the last or part of the last block of the resulting 
ciphertext is defined as MAClccLrd,iss of reference. 



Step 18 If the MAClcardriss of reference equals the received 

MAClcard,iss then accept the Mreq and continue at Step 19, 
otherwise reject Mreq and continue at Step 117. 



Note that validating the MAC also si multzuieously validates the 
received session key KS. If KS is changed, the deciphered value of 
Tterm,card would be in error and the MAC check in turn would fail. 



A timeliness check at the issuer is, hcTweVer, not possible since 
the issuer at this point has not received time-variant information it 
can check. (Note that Tterm,card as well as KS were generated outside 
the issuer and thus the timeliness of these values cannot be checked by 
the issuer.) This does not present a secvurity weaJmess because the 
information the issuer sends out at this point is of no value to cin 
opponent. (Such information is obtainable by an opponent via stale 
messages sent to the issuer.) 
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Step 19 If there is no reason to reject Mreq (e.g. fiinds are 

available, etc.,) then continue at step 110 otherwise reject 
Mreq and continue at Step 117. 

Step 110 Generate a first time variant authentication parameter 

(TAPl) using an RTMK operation together with the enciphered 
authentication parameter E AP (for the particular 

KM^JLSS 

cardholder with personal account number PAN) obtained from 
the issuer's CKDS and Tterm,card received in Mreq, as 
follows: 



f^KM2iss^' Tterm,card] -> Ej^oiss^^AP^^^'^^^> = ^oiss^^^ 
where TAPl is defined as D^(Tterm,card) . 

Also generate a second time variant authentication parameter 
{TAP2) using a DCPH operation together with the enciphered 
TAPl (i.e., ^oiss^^-*^^ ^ parameter and 

Tiss, term, card obtained at Step 14 to obtain: 

^^KMOiss^^^' Tiss,term,card] -> D^^^Tiss, term, card 
where TAP2 is defined as D Tiss, term, card. 

Air X 

TAPl is defined as D^Tterm,card and is obtained using the RTMK 
function of Fig. 6 where Q is AP (a pregenerated quantity (E 

KP©PIN 

PAN) ©PAN pregenerated during the initialisation process) and KPY is 

Tterm,card. The result of the MMK operation is E^^(TAPl) as follows: 

KMO 

f^KM2iss^' Tterm,card] -> E^^TAPl 

TAP2 is defined as D^^^Tiss, term, card and is obtained in a DCPH 
function by deciphering E^^qTAPI under the master key KMO and then 
deciphering Tiss, term, card using TAPl as the key as follows: 



. / ^? 
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DCPH: [E__._TAP1, Tiss, term, card] -> TAP2 



In summary - 



TAPl = D^'Pterm,card 

TAP2 = D^^^^Tiss, term, card 
TAPl 

Thus, the correct generation TAPl and TAP2 are directly dependent 
upon KP, PIN and PAN. 

Step 111 Formulate Mresp as shown in Fig. 14. 

Step 112 Conqpute MACliss,card on the card transaction response (CTR) 



portion of Mresp by an Encipher Data (ECPH) operation 

(described by Fig. 7) using enciphered key parameter 

E„_KSTR1 (obtained at Step 16) as follows: 
KMO 

KSTRl, CTR) -> MACliss,card. 

)iss 

where the last or part of the last block of resulting 
ciphertext is defined as MACliss,card. 



Step 113 Coinpute MACliss,term on the terminal transaction response 



(TTR) portion of Mresp by an Encipher Data (ECPH) operation 
(described by Fig. 7) using enciphered key parameter 
E KSTR2 (obtained at Step 15) as follows: 




ECPH [E^ 



'KMOiss 



KSTR2, TTR] -> MACliss,term 



where the last or part of the last block of resulting 
ciphertext is defined as MACliss,term. 



Transfer MACliss,term to Mresp. 
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Step 114 Re-encipher the transmission session key KSTR2 from 

encipherment under the issuer's host master key (KMOiss) , 
i-^w ^KMOiss^^*^^ ' encipherment under the interchange 
key KIiss,sw, i.e., E^^^^^^KSTB2 by a Re-encipher From 
Master Key (RFMK) operation using the enciphered key para- 
meter ^KMiiss^ ^^^s®'^^) obtained from the issuer's CKDS and 

the stored enciphered transmission key, i.e. , E KSTR2 

KHOxss 

as follows: 

t^irMHo.,K^iss,sw, E^^. KSTR2] -> E_ . KSTR2 
KMllss KMOiss KIiss,sw 

Transfer E„_. KSTR2 to Mresp. 

KIlSS,SW ^ 

step 115 Transfer E^^PAN from buffer (Step II) to Mresp. Where KP 
is less than a predetermined nxomber of bits then TAP2 is 
also enciphered under KS using an ECPH function as follows: 

tWs8^'^^2] -> E^TAP2 

Transfer TAP2 or the enciphered TAP2 to Mresp depending on 
the size of KP. 

Step 116 Send to the PSS network. Continue at Step S3. 

Step 117 Negative response routine. Formulate Mresp as shown in 

Pig. 15. The data field will include information on why the 
transaction is not to be honoured, i.e., lack of funds, MAC 
check failure, etc. The message will also include Tiss. 

Step 118 Compute MACliss,term on the TTR portion of the negative 

Mresp by an Encipher Data (ECPH) operation (described by 

Fig. 7) using enciphered key parameter E ^. KSTR2 

KMOiss 

(obtained at Step 15) as follows: 
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ECPH: [E_^. KSTR2, TTRD] -> MAC liss,term 
KMOiss 

where the last or part of the last block of resulting, 
ciphertext is defined as MACliss,tem. 

Transfer MACliss,tenn to Mresp. 

Step 119 Send Mresp to the PSS network. Continue at S3. 

At the PSS Switch ; 

Step S3 Extract enciphered session key E . KSTR2 from Mresp. 

KXSW f JLSS 

Using a Translate Session Key (TRSK) operation together with 
enciphered key parameters Ej^^KIiss,sw and ^j^g^^*^'^^^ 
obtained from the switch's CKDS and the received enciphered 
session key E . KSTR2, re-encipher KSTR2 from encipher- 

jxXJLSS f SW 

ment under KXiss,sw to encipherment under Klsw,acq, as 
follows : 



TRSK: (E,^ , KlisSrSW, E^. KSTR2 E^.^ Klsw,acq] 

KM3SW nKIiss,sw KMlsw ^ 

E 

racq 



-> E^^ KSTR2 
iCISW/c — 



Step S4 Replace E (KSTR2) with El KSTR2 in Mresp. 

KX xs s f sw Kx sw f acq 

Step S5 Send positive or negative to the acquirer sls appropriate. 
At the Acquirer : 



Step N3 Extract enciphered transaction session key E KSTR2 

kjlSw f acq 

frcxn Mresp. Using a Translate Session Key (TRSK) opieration 

together with enciphered key parameters E Klsw^acq and 

KHJacq 

^KMlacq*^ obtained from the acquirer's CKDS, re-encipher 
KSTR2 from encipherment under KIsw,acq to encipherment under 
KMT (for the terminal with terminal identifier TID) , to 
produce Ej^^^^^TR2) as follows: 
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Step N4 Replace E KSTR2 with E_^KSTR2 in Mresp. 

Step N5 Send positive or negative Mresp to the terminal as 
appropriate . 

At the EFT terminal 

Step T7 Check to determine whether the message has been received 
within a predetemnined time period by using a time-out 
procedure. If the time is not exceeded then proceed to Step 
T8, else continue at Step T22. 



Step T8 Decipher the enciphered PAN, i.e. , E PAN, by a Decipher 

Data (DCPH) operation using the previously stored enciphered 

session key E^^KS and E__PAN received in Mresp as follows: 
KTrT KS 



PAN 



Store Ej^(PAN) in a temporary buffer and replace with 
the deciphered PAN in Mresp. 

If TAP2 is in enciphered form, i.e., E TAP2, then decipher 
E TAP2 by a Decipher Data (DCPH) operation using the 

KS 

previously stored E^^^KS and Ej^(TAP2) received in Mresp as 
follows: 

Step T9 Store E^^^^^TB2 in an appropriate buffer. 



Step TIO If Mresp is non-negative then go to step Til; otherwise, 
if negative go to Step T14. 
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Step Til Compute MACliss,term of reference of the TTR portion of the 
received Mresp by an Encipher Data (ECPH) operation 
(described by Fig, 7) using received enciphered key para- 
meter Ej^^^^j^TR2 (obtained from Mresp at Step T9) as follows: 

ECPH: [Ej^j^^^TR2, TTR] -> MACliss,tenn 

where the last or pairt of the last block of resulting 
ciphertext is defined as MACliss,term of reference- If 
MACliss,term of reference equals received MACliss,term, then 
accept received message and go to Step T12; otherwise, go to 
Step T14. 



Step T12 If received Tterm,card equals stored Tterm,card (Step Tl) , 
then continue at Step T13; otherwise go to Step T14, 



Step T13 Send the CTR and MACliss,card portions of Mresp to the 
personal portable microprocessor (ppsn) . Go to Step C7. 



Step T14 For a negative response message compute MACliss,term of 

reference on the TTRD portion of the received negative Mresp 
by an Encipher Data (ECPH) operation (described by Fig. 7) 
vising received enciphered key parameter B^^^TRZ (obtained 
from Mresp in Step T9) as follows: 

ECPH: [Ej^j^^^TR2, TTRD] -> MACliss,term 

where the last or part of the last block of resulting 
ciphertext is defined as MACliss,term of reference. If 
MACliss,term of reference equals received MACliss^term then 
continue at Step T15, else go to Step T16- 



Step T15 If received Tterm,card equals stored Ttexm,card (Step Tl) 

then abort the transaction and continue at Step T22. (Since 
a definite negative reply has been received frcxn the issuer, 
no retry is allowed.) Otherwise, go to Step T16. 
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Step T16 The timeliness check and/or MAC check failed* Since there 
is a doubt on the negative or non-negative response the 
system rules may allow one or more retry. That is a return 
to Step CI. After a limited number of unsuccessful retries, 
abort transmission and continue at Step T22. 

At the ppm ; 

Step C7 Receive the CTR and MACliss,card portions of Mresp and 
store Tiss. 

Step C8 Compute MACliss,card of reference on the CTR portion of the 
received Mresp using stored key parameter KSTRl (Step C4) as 
the enciphering key. Generation of a message authentication 
code is illustrated in Fig. 7. 

Step C9 If MACliss,card of reference equals received MACliss,card 
then accept Mresp continue at Step CIO; otheirwise continue 
at Step C17. 

Step CIO If received Tterm,Ccurd equals stored Tterm,card (Step C4) 
then accept Mresp cind continue at Step HI; otherwise, 
continue at Step C17. 

At this point the EFT terminal will display a message indicating to 
the user that the cardholder is now required to enter the PIN on the 
terminal consumer module (28 Fig. 2) if there is agreement on trans- 
action details, amount, etc. 

At User Cardholder: 



Step HI 



Enter PIN into card via terminal after agreeing to the 
transaction details (e.g., amount, etc.). Then continue at 
Step Cll. 
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At the ppan ; 

Step Cll Compute TAPl using PAN, KP, PIN and stored Ttem,card. 

The card user's identification PAN is enciphered using an XOR 
function of KP and the entered PIN as a key. The result of the first 
encipher operation is XOR'd with PAN defining AP. The stored Ttena,card 
is then deciphered using AP as the key to produce TAPl. 

Step C12 Generate KSTR3 using PAN, KP, PIN and stored PIN and 
Tiss , term , card . 

The generation of KSTR3 is illustrated in Pig. 8. The card users 
identification PAN is deciphered using an XOR function on PIN and KP as 
the key. The result of the first decipher operation is XOR"d with PAN 
defining KTR2. Tiss, card, term is then deciphered using KTR2 as the key 
to produce the transaction session key KSTR3. 

Step C13 Store KSTR3 and destroy PIN value. 

Step C14 Send TAPl to terminal. 

At the EFT Terminal ; 

Step T17 Compute Tiss, term, card from stored Tterm,card and issuer 
received Tiss. Compute TAP2 from Card-received TAPl and 
Tiss , term , card. 

The computation of Tiss, term, card is illustrated in Pig. 9. Tiss 

received in Mresp is first loaded as a working key using a Load Key 

Direct (LKD) operation. The stored value of Tterm,card is enciphered 

under Tiss using an Encipher (ENC) operation to produce E , Tterm.card, 

Txss ' 

as follows: 
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UCD: [Tiss] 

ENC: [Ttenn,card] -> E^^^^Ttenn,card 

The computation of TAP2 is accomplished as follows. The card- 
received TAPl is first loaded as a working key using a Load Key Direct 
(LKD) operation. The generated value of Tiss, term, card is deciphered 
tinder TAPl using a Decipher (DEC) operation to produce 

Tiss, term, card, as follows: 

TAPl 
LKD: [TAPl] 

DEC: [Tiss, term, card] -> D^^^Tiss, term, card 
where TAP2 is defined equal to D Tiss, term, card. 



Step T18 If TAP2 equals received TAP2 of reference, then accept PIN 
and continue at Step T19; otherwise if re-entry of the PIN 
is permitted, as the predetermined number of failed attempts 
is not exhausted THEN continue at Step HI; ELSE continue at 
Step T22. 



step T19 Complete the card holder transaction (i.e., hand over goods, 
print receipt , etc . ) . 



Step T20 IF completion successful THEN continue at Step 21; ELSE 
continue at Step T22. 

step T21 Formulate a Message status Mstat (reflecting the outcome of 
the transaction) and send the CSD portion of Mstat to ppm. 
Continue at CIS. The format of the Mstat is shown in Fig. 
16. 

step T22 A negative condition has been detected by the terminal 
(e.g., response timeout, MACliss,term check failed, a 
negative Mresp from issuer due to MAClcard,iss check failure 
at issuer, printer failure, PIN invalid, etc.). 
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Step T23 Formulate a negative status message Mstat as shown in Fig. 

17 cind continue at Step T24. (The code word portion of 
Mstat indicates whether Mstat represents a positive or 
negative status message.) 



Step T24 Store Ej^(PAN) from the Mresp. Compute MAC2term,iss on the 
TSD portion of Mstat (Fig. 16) or on the TFD portion of the 
negative Mstat (Fig. 17) , as appropriate, by an Encipher 
Data (ECPH) operations (described by Fig. 7) using en- 
ciphered key parameter Ej^^^STR2 (obtained from Mresp in 
Step T9) as follows: 

ECPH: [Ej^^^^TR2, TSD] -> MAC2term,iss 



or 



ECPH: tEj^j^^TR2, TFD] -> MAC2term,iss 

where the last or part of the last block of resulting 
ciphertext is defined as MAC2term,iss. 



Replace clear PAN with Sj^PAN. Encipher the received TAPl 
(Step T17) by an Encipher Data (ECPH) operation using 
previously stored enciphered session key Ej^KS as follows: 



ECPH: [Ej^j^r TAPl] -> B^TAPl 

Replace TAPl with E TAPl in Mstat. 

step T25 Send Mstat to issuer via acquirer and switch (MAC2card , iss 

will be absent in all negative status conditions). Conclude 
processing at the termiiuil. 



If a Mstat is generated because a MAC check has fail^ on either a 
positive or negative Mresp, then a Network Administration Centre 



0K9-83-013 35 

processor is informed so that system failures can be monitored and 
possible faults corrected. 

At the piHtt ; 

Step CIS Receive CSD portion of Mstat from terminal. Compute 

HAC2card,iss on the CSD portion of Mstat using stored key 
parameter KSTR3 (Step C13) as the enciphering key. Genera- 
tion of a message authentication code is illustrated in Fig. 
7. 

Step C16 Send positive response cind MAC2card,iss to terminal and 
continue at Step T24- 

Step CI 7 Send negative response to terminal indicating that MAC check 
at Step C9 has failed, and continue at Step T23. (A MAC is 
not calculated here because the check for MACliss,card which 
is end-to-end, failed. Most likely another end-to-end MAC 
will not be successful either. ) 

At the Issuer Host ; 

Step 120 Receive Mstat. If a positive Mstat is received continue at 
Step 121; otherwise, if a negative Mstat is received con- 
tinue at Step 131. 

Step 121 Process positive Mstat. Extract E TAPl as appropriate and 

E PAN from positive Mstat and decipher the enciphered TAPl 

(as appropriate) euid PAN, i.e., E^^TAPl and E^PAN, by a 

Decipher Data (DCPH) operation using the previously stored 

enciphered session key E KS (Step II) as follows: 

KMOXSS 
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Replace enciphered TAPl (as appropriate) and PAN with clear 
TAPl and PAN in Ms tat. 

Step 122 Extract Tiss from Mstat and encipher Tiss under the issuer's 
host master key (KMOiss) by an Encipher Master Key (EMK0) 
operation as follows: 



EMK0: [Tiss] -> E^^. Tiss 

KMOISS 

Extract Tterm,card from Mstat, and generate the time-variant 
Tiss, term, card by an Encipher Data (ECPH) operation using 
enciphered Tiss, i.e., Ej^Qiss*^^®® ' follows: 

ECPH: I^KMOiss^^*^^' ^®"^'Oard] -> E^^^^Tterm, card 

where Tiss, term, caurd is defined as E_. Tterm,card. 

Tiss ' 

Step 123 Regenerate KSTR2 by an RTMK operation using enciphered key 

parameter ^KM2isgKNFlss obtained from the issuer's CKDS and 

Tiss, term, card obtained at Step 122 to produce E,„^. KSTR2, 

KMOiss 

as follows: 



KIMK: [E^^^^^KNFiss , Tiss, term, card] -> 
^Oiss^KNFiss''^^^'^^^'^^^ 

where KSTR2 is defined as D . Tiss, term, card. 

KNIlSS 

step 124 Compute MAC2term,iss of reference on the TSD portion of the 
received Mstat by an Encipher Data (ECPH) operation (des- 
cribed by Fig. 7) using enciphered key parameter 
Ej^Qi3gKSTR2 (regenerated at Step 123) as follows: 

ECPH: CE^oiss^™^' MAC2term,iss 



where the last or part of the last block of resulting 
ciphertext is defined as MAC2term,iss of i^eference. If 
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computed MAC2tenn,iss of reference equals MAC2term,iss 
received in Mstat, then continue at Step 125? otheirwise 
continue at Step 130. 

Step 125 If computed Tiss, term, card (Step 122) equals stored 

Tiss, term, card (Step 14), then continue at Step 126? other- 
wise, continue at Step 130. 

Step 126 Generate KSTR3 by an RTMK operation (Fig, 8) using 

enciphered key parameter E_--. ^KTR2, obtained from the 
issuer's CKDS for the particular cardholder with personal 
account number (PAN), and Tiss, term, card generated at Step 
123, to produce ^jrj^oiss ^^'^^^ ' ^oXIcmsi 

RTMK: lEKM2iss*^^' Tiss, term, card] -> Ej^oiss^KTR2'^^®® 
\^ere KSTR3 is defined as D^^j^Tiss, term, card. 

Step 127 Compute MAC2card,iss of reference on the CSD portion of the 
received Mstat by an Encipher Data (ECPH) operation (des- 
cribed by Fig. 7) using enciphered key parameter 

E . KSTR3 (generated at Step 126) as follows: 
KMOiss 

ECPH: tE_,^. KSTR3, CSD] -> MAC2card,iss 
KMOiss 

where the last or part of the last block of resulting 
ciphertext is defined as MAC2card,iss of reference. If 
computed MAC2ccird , iss of reference equals MAC2card,iss 
received in Mstat, then continue at Step 128? otherwise, 
continue at Step 130. 

Step 128 Accept the transaction and update records. 



Step 129 



Formulate a positive acknowledgement message (Mack) and 
send Mack to the acquirer system to to the terminal's host. 
Continue at Step 137. 
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Step 130 Reject the transaction and initiate a negative acknowledge- 
ment message (Mnak) and send Mnak to the terminal and the 
Network Administration Centre. 

Step 131 Process negative Mstat. Regenerate KSTR2 by an RTMK 

operation using enciphered key peirameter E^^, KNFiss 

KHzXSS 

obtained from the issuer's CKDS and stored Tiss, term, card 

obtained at Step 14 to produce E . KSTR2r as follows: 

KHuiss 

t^iss^"^' Tiss,term,card] -> Ej^p.^^Dj^^^^Ti8s, term, card 

\rtiere KSTR2 is defined as D^^. Tiss, term, card 

KNFxss 

Step 132 Compute MAC2term,iss of reference on the TFD portion of the 
received Mstat by an Encipher Data (ECPH) operation (des- 
cribed by Fig. 7) using enciphered key parameter 
^KMOiss^^^ (regenerated at Step 131) as follows: 

ECPH: [E^„. KSTR2, TFD] -> MAC2term,iss 
KMOiSS 

where the last or peirt of the last block of resulting 
ciphertext is defined as MAC2term,iss of reference. If 
computed MAC2term,iss of reference equals MAC2term,iss 
received in the negative Mstat, then continue at Step 133: 
otherwise continue at Step 136. 

Step 133 Extract Tiss from the received negative Mstat. If the 

received Tiss equals stored Tiss (Step 13) , then continue at 
Step 134; otherwise, continue at Step 136. 

Step 134 Accept the negative Mstat and update records - 



Step 135 



Formulate a positive acknowledgment message (Mack) and send 
Mack to the acquirer system or to the terminal's sponsor 
host. Continue at Step 137. 
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Step 136 Reject the negative Mstat and initiate a negative acknow- 
ledgement message (Mnak) and send Mnak to the tejnninal and 
the Network Administration Centre, 

Step 137 Halt procedure. 

Figures 10, 11 and 12 illustrate the sequence of the steps of the 
method in a flow chart form. Starting with step CI at the personal 
portable microprocessor (FIG. 10) the steps continue to 137 (FIG. 12) 
which ends the transaction. 

The system described above has the added advantage in that when the 
POS terminal is in a supermarket environment the personal verification 
check which typically should take between 1-5 seconds can be initiated 
before the goods are totalled and ccanpleted well before the total amount 
due has been calculated. Unless there is some valid reason for refer- 
ring the user's card there should be no additional delay at the terminal 
for customers using the EFT system for payment of goods. 
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CLAIMS 

1. A method of testing the validity of personal identification numbers 
(PIN) entered into an electronic funds transfer system (EFT) at a 
terminal connected through a data comm\inication network to a data 
processing centre in which each user of the EFT system has an intelli- 
gent secure bank card on which is stored a personal key (KP) and a 
personal account number (PAN) and the data processing centre holds a 
master list of PINs and KPs or a logical function of PIN and KP indexed 
by PANS, the method con^rising the following steps: 

1. transmitting the PAN from the card through the terminal to 
the data processing centre, 

2. generating at the data processing centre by a one way 
encipher function at a transaction variant authentication 
parameter (TAP) directly dependent upon the PIN and the KP, 

3. transmitting the TAP to the terminal and storing the TAP at 
the terxainal, 

4. receiving from the card holder the PIN at the terminal and 
transmitting the PIN to the card, 

5. generating at the card a transaction varismt authentication 
parameter (TAPc) directly dependent upon the entered PIN and 
the stored KP, 

6. transmitting the TAPc from the card to the terminal and at 
the terminal comparing the TAP received from the data 
processing centre with the TAPc received from the card, a 
correct compcirison indicating that the entered PIN was 
valid, 

2. A method as claimed in claim 1 including for each transaction 
initiated at the termal the step prior to step 1 of generating at the 
terminal a transaction variant, 

transmitting the transaction varicint to the card and storing the 
transaction variant on the card. 
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cund in which the transaction variant is transmitted to the data 
processing centre with the PAN and the generation of the TAP at the data 
processing centre and the TAPc at the card is dependent upon the PIN, 
the KP and the transaction variant. 

3. A method as claimed in claim 2 in which the transaction variant 
includes a random or pseudo-random number generated at the card 
logically combined with a random or pseudo-rcindom number generated at 
the terminal. 

4. A method as claimed in claim 3 in which the transaction varicint 
includes a sequence nuniber or time check portion and the data processor 
returns the transaction variant to the terminal with the transaction 
variant authentication parameter and the terminal performs a timeliness 
or sequence check on the returned message. 

5. A method of testing the validity of personal identification numbers 
(PIN) entered into cin electronic funds transfer system (EFT) at a 
terminal connected through a data commixnication network to a data 
processing centre in which each user of the EFT system has an intelli- 
gent secure bank card on which is stored a personal key (KP) and a 
personal account number (PAN) and the data processing centre holds a 
master list of PINs and KPs or a logical fionction of PINs and KPs 
indexed by PANs, the method comprising the following steps: 

1. generating a first transaction variant (Tterm) at the 
terminal whenever a transaction is initiated, euid transmit- 
ting the first transaction variant to the card; 

2. transmitting the PAN from the card and the first transaction 
variant (Tterm) to the data processing centre; 

3. generating at the data processing centre a second trans- 
action variant (Tiss) ^rtienever a transaction message is 
received from a terminal; 

4- generating a first transaction authentication parameter 

(TAPl) dependent upon the logical fxmction of the associated 
PIN and KP and the first transaction variant (Tterm) ; 



UK9-83-013 42 



0137999' 



5. generating a second transaction authentication parameter 
{TAP2) dependent upon the first transaction authentication 
parameter (TAPl) and the second transaction variant (Tiss) j 

6. transmitting the second transaction authentication pcirameter 
(TAP2) and the second treinsaction variemt (Tiss) to the 
terminal? 

7. receiving from the card holder the PIN at the terminal and 
transmitting the PIN to the card; 

8. generating at the Ceurd a first transaction variant authen- 
tication parameter based upon a logical combination of the 
entered PIN and the stored KP and the first transaction 
variant; 

9. transmitting the card generated first transaction vairiant 
authentication parameter to the terminal; 

10. at the terminal generating a second transaction Vciriant 
authentication parameter dependent upon the first trans- 
action authentication parameter received from the card cuid 
the second transaction variant received from the data 
processing centre; 

11. comparing the terminal generated second transaction authen- 
tication parameter with the second transaction authen- 
tication parameter received from the data processing centre, 
a correct comparison indicating that the entered PIN was 
correct. 

6. A method as claimed in claim 5 in which the transaction variant 
includes a sequence number or time check portion and the data processor 
returns the transaction variant to the terminal with the transaction 
variant authentication parameter and the terminal performs a timeliness 
or sequence check on the returned message. 
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